Bugtraq mailing list archives
Re: Cisco PIX Firewall (smtp content filtering hack)
From: "Jeffrey W. Baker" <jwbaker () ACM ORG>
Date: Wed, 20 Sep 2000 09:46:58 -0700
On Tue, 19 Sep 2000, Lisa Napier wrote:
> Hi,
>
> We have been working for some time to repair this defect. We have a planned advisory to be posted next week. We do not yet have fixed code to address this issue, but expect to shortly -- this is what typically holds up the advisory process, ensuring that we have a solution to the problem reported.
>
> Unfortunately this posting does not provide a workaround, nor any real assistance to customers attempting to protect themselves. We really appreciate prior notification. We do work to get vulnerabilities fixed, and in fact were already working diligently on this one.
As a Cisco customer, I personally prefer to get notification as soon as possible. Cisco has known about this bug, but they haven't notified their customers. That is an example of stinky corporate non-ethics at work. We should be notified instantly whenever new security vulnerabilities are discovered.

We always have one recourse and workaround, which is to decommission our Pix firewalls until things are fixed. Of course, this isn't Cisco's preference, so they choose instead to leave their customers in the field with equipment that has security problems which are certain to be discovered by a third party and possibly exploited. I think this scenario has mostly played out in this case.

I wish vendors would get a clue and realize that their customers need security information RIGHT NOW, not when a fix is available. We must be able to assess our own security situation and take action based on the known risks. If we don't know about the risks, we can't assess them.

Jeffrey Baker